Hmm, not a bad Dive Op. Too bad it seems like they couldn't finish their wipe/shut down phase and did an emergency stop. Nice job on the minimal infection in the U.S.; it's not about the amount of infected in a centralized system, it's about where. I wonder if this would really be classified as 'elite' though.

"Wear masks to move like the shadows, because the web is full of them." Web of Shadows

In the Spanish language, huh? It's possible the Spanish government did it, or some country in South America such as Brasil, Venezuela, Chile or Argentina which are plausibly resourceful and motivated enough to do this. Maybe even Cuba.

Can someone ELI5 why Adobe products are so freaking vulnerable? Every.Fucking.Time. It's more than likely Flash or PDF vectors.

Is it bad design?

Lazy, sloppy engineering. Probably because the crush to hit this quarter's numbers is more important than pushing out a quality product. Thus far, the fact that Java and a collection of Adobe products appear to be the gapingest holes allowing exploits through hasn't hurt the bottom lines of Oracle or Adobe, so they have no real incentive to actually put the time in to fixing the problems.

As I recall, Oracle has left unpatched serious exploits for Java for months at a time. Adobe is slightly better, but they still appear to spend a lot of time putting out fires, rather than plugging holes before they become zero-day exploits.

Until the bottom line starts feeling it, and the boards and shareholders start putting pressure on, nothing will change.

Careto is not Spanish. The author confused it with the word "Careta" which is Spanish. Careto is Portuguese.

Based on "language" you would assume indeed it comes from Portugal or Brazil; knowing Brazil has a hacker reputation, I bet my chances on this one.

Actually my bet is it's from Spain, for two reasons. First, 'careto' is common slang in Spain, which refers to 'face'. It is only used in Spain as far as I know; I've never heard it used in other Spanish-speaking countries. Second reason is that most of the infected computers were in Morocco, and Spain would have (or actually has) lots of reasons to want to spy on Moroccan issues. The two countries have been historically related, including some conflicts in recent years.

Careta and Careton is a slang used in Latin America, not Careto.

Is this used in Spain? Not sure. But I can bet you the malware name has nothing to do with a word slang. It has to do with the meaning of the word and what it represents. "Careto" is a festival, in particular in Brazil as well where people wear masks and it has something to do with evil.

This makes ALLOT more sense with what this software does: it hides and does evil things.

I first imagined Spain because of the infections in Morocco; yes, you draw that conclusion at first, but then again we don't know if this has anything to do with anything. It's not uncommon for malware writers to use other languages and try to hide their identity. Now if we assume this is government malware, and the name has some meaning, it surely makes allot more sense with the festival of careto; there you also have a coincidence with the masks. And malware does that: masks itself and does evil things.

Just because Morocco has more infections, as well as Spain, means one thing so far: because they are neighbors, one country next to the other would have a high rate of infections, in particular if they are less tech and computer savvy, which is the case. It looks more like this to me. It could also mean someone tries to spy on Spain and Morocco is just collateral damage. All of this is just pure speculation of course.

It could be Portugal spying on Spain, why not... or Brazil or Spain or neither of them at all. Maybe just a criminal gang and not even government malware.

Allot means to distribute or assign. You're looking for 'a lot' here, but I bet you could find better word choice. Your sixth grade language arts teacher is very disappointed.

Can someone ELI5 why Adobe products are so freaking vulnerable? Every.Fucking.Time. It's more than likely Flash or PDF vectors.

Is it bad design?

Flash is really well designed, actually. It's not bad engineering or laziness, it's just that Flash has a huge runtime now. There's a lot going on in there, and just like any piece of complex software, there are bound to be obscure bugs. The fact that Flash runs almost everywhere means that it's a highly valuable target for a hacker. If you find something to exploit in Flash, you'll have yourself a widely-available attack vector. It's the same thing for Java. Or Windows, for that matter. Anything installed on the majority of Internet-connected devices looks like a giant red bullseye to a hacker.

In the Spanish language, huh? It's possible the Spanish government did it, or some country in South America such as Brasil, Venezuela, Chile or Argentina which are plausibly resourceful and motivated enough to do this. Maybe even Cuba.

OK, am I the only US citizen that is sick and tired of the constant ad campaign about US Cybercom, about how they are the first line of defense for the United States and how they are awake at all hours, protecting our national technology infrastructure from cyber attacks? Between Cybercom, NSA and the other US cyber agencies, where are these monster super secret behemoths while these hacks and attacks are going on? How about it Clapper, here's a chance to show the electronic consumer that at least some of their hard earned money you vacuum up is worth something. If you can't cough up a single real world terrorist attack your goons have thwarted, surely you can come up with one cyber attack you've stopped. Or should we put faith in AV companies from Russia or other countries to let us know you're not doing squat?

I agree with you that the NSA doesn't do squat but it is tricky business. Kaspersky is an AV company so it clearly benefits from the PR its exposures generate. The US government however might be better off if it silently monitors AND silently mitigates the threats, with bonus points for identifying, locating and apprehending or misleading perpetrators if they are truly dangerous. Because as soon as the news is out they close shop, disappear and return with an even more sophisticated approach.

Yes, "careto" is often used in Spanish. It's a common, slangy way to refer to someone's face ("cara"), facial expression, cheekiness, presence around, etc. It seems to originally refer to black horses and cows with a white face.

The more I read about these uber exploits on Ars (Duqu, Flame, now this and the virus that apparently was copying itself through wifi on that researcher's computer, the NSA capabilities etc.) the less confident I feel in my own skills.

Even knowing I probably dwarf 99% of the world population in IT know-how I realize I am outmanned, outgunned, outskilled and pretty much dead in the water.

I am just the receiving end like those other 99%, and will have to dedicate half my life to keep everything secure in real time, and that probably won't even make a big difference since most malware is not even discovered.

Maybe I should just get myself a faraday cage and browse offline from now on.

Can someone explain to me why "we" are not going after the people who PAY these malware/spam artists? Follow the money, for pete's sake. Who pays these guys? PERHAPS it is the people who make the products the spam is trying to unload. Just perhaps. If it is not now illegal, make it illegal to hire these guys. Or just drop drones on them. I really don't care which.

In the Spanish language, huh? It's possible the Spanish government did it, or some country in South America such as Brasil, Venezuela, Chile or Argentina which are plausibly resourceful and motivated enough to do this. Maybe even Cuba.

Brazilians speak Portuguese.

Some of them do; most speak Spanish.

What an idiot!

Funnily enough Careto is portuguese not spanish

I have never heard the word "careto" in Brazil (it could be something regional, though). "Careta", on the other hand, means a face that has been distorted by gurning. Mask in Portuguese would be "máscara".

I take pleasure in arcane and enigmatic insinuations pertaining to extremely sophisticated virus attacks. It smacks so much of a riveting concoction comprised of James Bond, Indiana Jones, some former Soviet Union super villain, finally laced with a little bit of NSA rumors.

Hilarious.

Apart from the fact that this pathetic article tells nothing at all except for lukewarm rehashes, the entire super-uber virus narrative gets more boring each time I stumble across one.

My take from the article is that some guy employed the old method of social engineering to lure some retarded dude on a bogus website. The most outrageous part of the story is that there are still users so flat out stupid they fall prey to this excessively primitive method. And finally lets not forget about the inane IT security manager still taking no measures to prevent shenanigans like that.

All in all a big laughingstock and shameful for the afflicted parties.

Calling it the most sophisticated malware-driven espionage campaign ever discovered, researchers said they have uncovered an attack dating back to at least 2007 that infected computers running the Windows, OS X, and Linux operating systems of 380 victims in 31 countries.

How is this a good track record at all? In 4 years, only 380 victims...and spread over 31 countries...I don't see the awesomeness in that at all. More the opposite.

If the goal was only to infect specific targets of value and draw as little attention as possible, this could be considered quite sophisticated compared to a more "brute force" approach where you spread your malware to as many victims as possible in the hopes that you snag something you want.

Can someone ELI5 why Adobe products are so freaking vulnerable? Every.Fucking.Time. It's more than likely Flash or PDF vectors.

Is it bad design?

They're nearly ubiquitous, which makes them a large target. For Flash, it can be exploited straight from the browser, which makes it even more attractive. For PDFs, you can mail them en masse to people and social engineer a nontrivial number of them into opening them, which also doesn't require all that much effort. And a lot of people run outdated Reader or Acrobat, which makes it even more attractive.

The three most common exploit paths for Windows machines I'm aware of are Flash, Java, and Reader/Acrobat. Keeping these off your system (or, if that's not possible, making sure they're always patched promptly after updates are issued) should be a priority for any security-minded individual; nothing's a cure-all, but you're going to decrease your attack surface a lot this way. Anti-virus software also helps (I recommend Kaspersky products if you're willing to pay and the free edition of Avast if you're not), but that in itself is not sufficient to keep your systems clean. There's a lot more to security than that.

As for APTs, they're very, very uncommon, mostly because they're extremely expensive and time-consuming to pull off and once they're discovered, their usefulness is highly diminished. For that reason, they're usually only leveraged against very high value targets, and they usually attempt to remain as quiet as possible. Paranoid folk often fall into the trap of thinking they're infected with an APT, but usually it's something a lot less menacing. If you're really and truly worried about APTs, your best bet is to hire an expert security consultant. I work in IT and have a focus on security but I still don't feel qualified to deal with an organization hit by an APT. It's something best left to professionals.

It's really frustrating that the linked PDF report doesn't mention which CA issued the certificates in question. If you know the presumably public CA, then it would be easy to find out where the process failed, i.e. how a fake company could get a CSR signed.

VeriSign was mentioned, but how the hell do they "blacklist" a valid certificate? They don't make browsers last I checked. If the certs were revoked, then they wouldn't be "valid."

OK, am I the only US citizen that is sick and tired of the constant ad campaign about US Cybercom, about how they are the first line of defense for the United States and how they are awake at all hours, protecting our national technology infrastructure from cyber attacks? Between Cybercom, NSA and the other US cyber agencies, where are these monster super secret behemoths while these hacks and attacks are going on? How about it Clapper, here's a chance to show the electronic consumer that at least some of their hard earned money you vacuum up is worth something. If you can't cough up a single real world terrorist attack your goons have thwarted, surely you can come up with one cyber attack you've stopped. Or should we put faith in AV companies from Russia or other countries to let us know you're not doing squat?

Considering that the largest target was Morocco I would guess Spain, but without knowing who owned those IP addresses it is hard to tell.

What is clear is that no one has a monopoly on cyber attacks. I hope whoever greenlighted Flame thought the consequences through, as other nations will(have) launch attacks now that this is "acceptable" behavior.

I have to disagree with putting malware that had fewer than 400 infections and MIGHT have had Android and iOS versions in the sophisticated category.

It is of some concern that a bit of malware has been in operation since 2007, and ONLY infected 400 systems. It just means that it ONLY NEEDED to infect the 400 targeted systems to accomplish its task.

We're slowly approaching the state outlined in the Curious Yellow whitepaper. That was written back in 2002. Many "advanced" worms (including this one) use centralized C&C servers instead of a DHT network, only a few of the latest ones have started to remove the need for C&C servers. This probably means that we haven't detected any of the truly advanced worms, just the low-hanging fruit.

In the Spanish language, huh? It's possible the Spanish government did it, or some country in South America such as Brasil, Venezuela, Chile or Argentina which are plausibly resourceful and motivated enough to do this. Maybe even Cuba.

Brazilians speak Portuguese.

Some of them do; most speak Spanish.

What an idiot!

Funnily enough Careto is portuguese not spanish

Just for the record:

"Mask" in Portuguese is "Máscara". "Careta" in Portuguese means "Grimace". "Careto" is a carnival ritual involving masks in northern Portugal.

Can someone ELI5 why Adobe products are so freaking vulnerable? Every.Fucking.Time. It's more than likely Flash or PDF vectors.

Is it bad design?

Flash is really well designed, actually. It's not bad engineering or laziness, it's just that Flash has a huge runtime now. There's a lot going on in there, and just like any piece of complex software, there are bound to be obscure bugs. The fact that Flash runs almost everywhere means that it's a highly valuable target for a hacker. If you find something to exploit in Flash, you'll have yourself a widely-available attack vector. It's the same thing for Java. Or Windows, for that matter. Anything installed on the majority of Internet-connected devices looks like a giant red bullseye to a hacker.

Agreed.

Acrobat tightened up its security a decent amount some years ago - what did we get? More Java exploits.

If Java got tightened up, we'd probably see a different vector emerge as the go-to.

Can someone explain to me how this is accomplished on a Linux cient without a user elevating?

3 ways right off the top of my head:
a) Local exploit in the kernel or something that's SUID root
b) sudo
c) Social engineering

I list "sudo" on there separately because there is nothing keeping the user/sysadmin from configuring sudo to not require a password before running the specified command with elevated privileges.

Most Mac and Linux users are deluded into believing that viruses/rootkits/trojans/etc are a Windows-only problem. Said Mac and Linux users are frequently just as bad as Windows users at not updating their systems. Heck, they probably picked up that habit when they were Windows users. Consider the popularity of stuff like Ubuntu - easy to install, but with literally non-existent security updates once it's more than 9 months old.

I, for one, will NEVER run a non-LTS release of Ubuntu for exactly that reason.

My Linux installs are CentOS/RHEL or Ubuntu LTS. Period. Exclusively because they have long support lifetimes and security bugs (hypothetically) get fixed. Compare the 9 month lifecycle for a regular Ubuntu release with the 5 YEAR lifecycle for Ubuntu LTS, or 10 YEARS for CentOS/RHEL or MS Windows.

I might sound like I'm painting all end users in the same light here, and I know that not all end users are grossly negligent with system updates, but the ones that aren't are few and far between.

One other thing to point out: malware doesn't need elevation to do its thing. It depends on what the malware author intended the program to do. A program that's going to sit in the background and mine bitcoins, brute-force password hashes, participate in DDoS attacks, brute-force passwords on "remote" machines (LAN or over the internet), or capture keystrokes doesn't need elevation.
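The sudo path in the post above is the one that is easiest to audit: a NOPASSWD rule means no prompt ever appears, so code running as the user becomes root without anything the user would notice as "elevating". The following is an added example, not code from this thread or from any of the commenters, that parses a constructed sudoers snippet and flags rules that hand out passwordless root. The sample file, the regex and the helper names are my own simplification of the sudoers grammar (aliases are not expanded, line continuations and `#include`d files are not followed), so treat it as a first-pass check, not a replacement for `sudo -l`.

```python
import re

# Constructed sample sudoers content for this example (not from the original
# thread). It mixes a normal rule, a command alias, a passwordless full-root
# rule (the weak setting the post describes) and a rule that keeps the prompt.
SAMPLE_SUDOERS = """\
# constructed /etc/sudoers
Defaults        env_reset
Cmnd_Alias      PKG = /usr/bin/apt-get, /usr/bin/dpkg
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL          # weak: anything running as alice gets root silently
deploy  ALL=(root) NOPASSWD: PKG
bob     ALL=(ALL) PASSWD: /usr/bin/systemctl restart nginx
"""

# user_spec shape:  who  host=(runas) [TAG:] commands
# Simplified (assumed) grammar: one rule per line, no alias expansion.
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias",
                 "Runas_Alias", "@include", "@includedir")


def parse_sudoers(text):
    """Parse user-specification lines into dicts, pulling tags such as
    NOPASSWD out of the command list. A rule is marked passwordless if any of
    its commands carries NOPASSWD, which is the conservative choice for an audit."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (and old-style #include lines)
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds = m.group("cmds")
        tags = re.findall(r"\b([A-Z_]+):", cmds)
        rules.append({
            "who": m.group("who"),
            "host": m.group("host"),
            "runas": m.group("runas") or "root",   # sudoers default when no Runas_Spec is given
            "nopasswd": "NOPASSWD" in tags,
            "cmds": re.sub(r"\b[A-Z_]+:\s*", "", cmds).strip(),
        })
    return rules


def runs_as_root(runas):
    """True if the Runas_Spec permits root; the part before ':' lists users."""
    users = runas.split(":", 1)[0]
    return any(u.strip() in ("ALL", "root") for u in users.split(","))


def nopasswd_rules(rules):
    """Every principal that can run something via sudo without a password."""
    return [r["who"] for r in rules if r["nopasswd"]]


def silent_root(rules):
    """Principals who get unrestricted root with no prompt at all: `sudo -s`
    just works, so unprivileged malware elevates without the user noticing."""
    return [r["who"] for r in rules
            if r["nopasswd"] and r["cmds"] == "ALL" and runs_as_root(r["runas"])]


if __name__ == "__main__":
    parsed = parse_sudoers(SAMPLE_SUDOERS)
    for who in silent_root(parsed):
        print(f"{who}: passwordless root for ALL commands; "
              f"drop NOPASSWD or scope the command list")
    for who in nopasswd_rules(parsed):
        print(f"{who}: has at least one NOPASSWD command; review it")
```

Run it against the text of `/etc/sudoers` and each file in `/etc/sudoers.d/` (validate them with `visudo -c` first). The `deploy` rule is flagged too even though it is scoped to a package manager, because a scoped NOPASSWD command still deserves a look: whether the listed binary can be coaxed into running arbitrary code is a separate question this script does not try to answer.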

Considering that the largest target was Morocco I would guess Spain, but without knowing who owned those IP addresses it is hard to tell.

What is clear is that no one has a monopoly on cyber attacks. I hope whoever greenlighted Flame thought the consequences through, as other nations will(have) launch attacks now that this is "acceptable" behavior.

Do we not assume that this has been, for quite some time, "acceptable" behavior? Whereas acceptable behavior should read past behavior?

I'm willing to bet that Mask, Flame, Stuxnet, Duqu are all just the tip of the iceberg. That for every piece of malware unearthed, there's at least 10 more instances operating in the background and we're just not aware. This and the (not-at-all-surprising) NSA revelations, I kind of want to live in a dirt shack now.

Yes, "careto" is often used in Spanish. It's a common, slangy way to refer to someone's face ("cara"), facial expression, cheekiness, presence around, etc. It seems to originally refer to black horses and cows with a white face.

Careto also means mask in Spanish; it is a bit archaic but the meaning still holds.

They do, it's just not published in the media; probably someone was shot today by the CIA in some Eastern country which was making malware. This route is far cheaper and more effective when dealing with real dangers.

Until they shoot the wrong guy.

I'm pretty sure whatever you're advocating doesn't have a 100% accuracy rate. You can only kill the wrong guy so many times, which means you can only launch so many assassination missions.

There are too many hackers out there for CIA to assassinate. The error rate multiplied by the sheer number of hackers winds up looking like an ordinary war instead of a covert operation.